CVE-2026-22815
Memory Exhaustion via Header Handling in AIOHTTP Before
Publication date: 2026-04-01
Last updated on: 2026-04-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| aiohttp | aiohttp | to 3.13.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python. Before version 3.13.4, there were insufficient restrictions in how headers and trailers were handled, which could lead to uncapped memory usage.
How can this vulnerability impact me? :
The vulnerability can cause the application using AIOHTTP to consume an unlimited amount of memory due to improper handling of headers and trailers. This could lead to performance degradation, crashes, or denial of service.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update AIOHTTP to version 3.13.4 or later, where the issue with insufficient restrictions in header/trailer handling causing uncapped memory usage has been patched.